Add security plans for gh-aspnet-webapp and sample-web-app#118

Merged

CalinL merged 1 commit into main from feature/custom-agents-with-some-gh-fixes on Feb 5, 2026

Conversation

@emmanuelknafo (Collaborator) commented:

  • Created a comprehensive security plan for the gh-aspnet-webapp blueprint, detailing architecture, data flows, threat assessments, and mitigation strategies.
  • Developed a security plan for the sample-web-app, outlining its three-tier architecture, security posture, threat summary, and implementation checklist.
@emmanuelknafo emmanuelknafo requested a review from CalinL as a code owner February 5, 2026 14:24

github-actions bot commented Feb 5, 2026

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

Snapshot Warnings

⚠️: No snapshots were found for the head SHA cd91e2b.
Ensure that dependencies are being submitted on PR branches and consider enabling retry-on-snapshot-warnings. See the documentation for more information and troubleshooting advice.

Scanned Files

  • .github/workflows/cicd.yml


AZURE_LOCATION: ${{ github.event.inputs.azure_location || 'DEFAULT_LOCATION' }}
outputs:
acr_name: ${{ steps.deploy.outputs.acr_name }}
webapp_name: ${{ steps.deploy.outputs.webapp_name }}

Check warning: Code scanning / CodeQL (Medium)

Unpinned tag for a non-immutable Action in workflow: unpinned 3rd party Action 'CI/CD for Azure Web App' step 'Uses Step' uses 'azure/webapps-deploy' with ref 'v3', not a pinned commit hash.
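Review bot: `azure/webapps-deploy` is referenced by the mutable tag `v3`, which is what the CodeQL warning flags; pin the step to the action's full commit SHA with the version kept as a trailing comment (`uses: azure/webapps-deploy@<full-commit-sha> # v3`) so that a moved or hijacked tag cannot change the code that runs with the deployment credentials, and let Dependabot bump the pinned SHA. Separately, `AZURE_LOCATION` falls back to the literal `'DEFAULT_LOCATION'`, which is not an Azure region name; substitute a real region or read the default from a repository variable so a manual run that omits the input does not fail at deploy time.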
@@ -0,0 +1,192 @@
@description('The Azure region for resource deployment.')

Check failure: Code scanning / templateanalyzer (Error)

Use Advanced Threat Protection: Enable Microsoft Defender for Azure SQL logical server.
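Review bot: the templateanalyzer error is raised because `sqlServer` declares no Defender for SQL configuration; add a `Microsoft.Sql/servers/securityAlertPolicies` child resource named `Default` with `parent: sqlServer` and `state: 'Enabled'` (and, if the security plan calls for it, a `vulnerabilityAssessments` child backed by a storage account). The same child resource, with `emailAccountAdmins: true` and an `emailAddresses` list, also clears the checkov threat-detection, 'Email service and co-administrators' and 'Send Alerts To' errors reported further down against the sqlDatabase block, since those are server-level alert policy settings.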
@@ -0,0 +1,192 @@
@description('The Azure region for resource deployment.')

Check failure: Code scanning / templateanalyzer (Error)

Enable auditing for Azure SQL DB server: Auditing for Azure SQL Database tracks database events and writes them to an audit log. Audit logs help you find suspicious events, unusual activity, and trends.
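Review bot: auditing is not configured anywhere in the hunk; add a `Microsoft.Sql/servers/auditingSettings` child resource named `default` with `parent: sqlServer`, `state: 'Enabled'` and a destination (either `isAzureMonitorTargetEnabled: true` together with a diagnostic setting that routes `SQLSecurityAuditEvents` to a Log Analytics workspace, or a `storageEndpoint`), and set `retentionDays` to the retention the security plan requires. This clears the templateanalyzer error above and the checkov 'Auditing is set to On' error attached to the sqlDatabase block.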
resource sqlServer 'Microsoft.Sql/servers@2023-08-01-preview' = {
name: sqlServerName
location: location
properties: {

Check failure: Code scanning / templateanalyzer (Error)

Use AAD authentication with SQL databases: Azure SQL Database offers two authentication models, Azure Active Directory (AAD) and SQL authentication. AAD authentication supports centralized identity management in addition to modern password protections. Some of the benefits of AAD authentication over SQL authentication include support for Azure Multi-Factor Authentication (MFA) and conditional access through Conditional Access. It is also possible to disable SQL authentication entirely and only use AAD authentication.
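Review bot: the `sqlServer` properties block should declare an Azure AD administrator and turn SQL logins off, i.e. `administrators: { administratorType: 'ActiveDirectory', azureADOnlyAuthentication: true, login: <admin-group-name>, sid: <admin-group-object-id>, tenantId: subscription().tenantId }`, with an admin group as the server administrator and a contained database user created for the App Service's system-assigned identity (declared at `identity: { type: 'SystemAssigned' }`) holding only the roles the app needs. With AAD-only authentication there is no SQL admin password to store in Key Vault or in a connection string, which matches the secret-free pattern the `appSettings` already follow (only `KeyVaultUri`, no connection string). While editing this block, set `minimalTlsVersion: '1.2'` so the server matches the `minTlsVersion: '1.2'` already enforced on the web app.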
Comment on lines +152 to +164
@description('SQL Database for application data.')
resource sqlDatabase 'Microsoft.Sql/servers/databases@2023-08-01-preview' = {
parent: sqlServer
name: sqlDatabaseName
location: location
sku: {
name: 'S1'
tier: 'Standard'
}
properties: {
collation: 'SQL_Latin1_General_CP1_CI_AS'
}
}

Check failure: Code scanning / checkov (Error)

Azure SQL Server threat detection alerts are enabled for all threat types
Comment on lines +152 to +164
@description('SQL Database for application data.')
resource sqlDatabase 'Microsoft.Sql/servers/databases@2023-08-01-preview' = {
parent: sqlServer
name: sqlDatabaseName
location: location
sku: {
name: 'S1'
tier: 'Standard'
}
properties: {
collation: 'SQL_Latin1_General_CP1_CI_AS'
}
}

Check failure: Code scanning / checkov (Error)

Ensure that 'Auditing' is set to 'On' for SQL servers
Comment on lines +152 to +164
@description('SQL Database for application data.')
resource sqlDatabase 'Microsoft.Sql/servers/databases@2023-08-01-preview' = {
parent: sqlServer
name: sqlDatabaseName
location: location
sku: {
name: 'S1'
tier: 'Standard'
}
properties: {
collation: 'SQL_Latin1_General_CP1_CI_AS'
}
}

Check failure: Code scanning / checkov (Error)

Ensure that 'Email service and co-administrators' is 'Enabled' for MSSQL servers
Comment on lines +152 to +164
@description('SQL Database for application data.')
resource sqlDatabase 'Microsoft.Sql/servers/databases@2023-08-01-preview' = {
parent: sqlServer
name: sqlDatabaseName
location: location
sku: {
name: 'S1'
tier: 'Standard'
}
properties: {
collation: 'SQL_Latin1_General_CP1_CI_AS'
}
}

Check failure: Code scanning / checkov (Error)

Ensure that 'Send Alerts To' is enabled for MSSQL servers
Comment on lines +152 to +164
@description('SQL Database for application data.')
resource sqlDatabase 'Microsoft.Sql/servers/databases@2023-08-01-preview' = {
parent: sqlServer
name: sqlDatabaseName
location: location
sku: {
name: 'S1'
tier: 'Standard'
}
properties: {
collation: 'SQL_Latin1_General_CP1_CI_AS'
}
}

Check failure: Code scanning / checkov (Error)

Ensure the Azure SQL Database Namespace is zone redundant
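Review bot: the four checkov errors about threat detection, auditing and alert e-mail that are attached to this database block are server-level settings, satisfied by `securityAlertPolicies` and `auditingSettings` children of `sqlServer`; nothing in the `sqlDatabase` resource itself needs to change for them. The zone-redundancy error is different: `zoneRedundant: true` is not offered on the Standard DTU tier selected here (`name: 'S1'`, `tier: 'Standard'`), so either move the database to a tier that supports it (Premium, or a vCore General Purpose / Business Critical SKU) or record the single-zone deployment as an accepted risk in the security plan and suppress the check with that justification rather than leaving it red.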
Comment on lines +101 to +131
@description('App Service for web application.')
resource appService 'Microsoft.Web/sites@2023-12-01' = {
name: appServiceName
location: location
identity: {
type: 'SystemAssigned'
}
properties: {
serverFarmId: appServicePlan.id
httpsOnly: true
siteConfig: {
minTlsVersion: '1.2'
ftpsState: 'Disabled'
alwaysOn: true
appSettings: [
{
name: 'APPINSIGHTS_INSTRUMENTATIONKEY'
value: appInsights.properties.InstrumentationKey
}
{
name: 'APPLICATIONINSIGHTS_CONNECTION_STRING'
value: appInsights.properties.ConnectionString
}
{
name: 'KeyVaultUri'
value: keyVault.properties.vaultUri
}
]
}
}
}

Check failure: Code scanning / checkov (Error)

Ensure that 'HTTP Version' is the latest if used to run the web app
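Review bot: `siteConfig` has no `http20Enabled` setting, which is what the checkov 'HTTP Version' check looks for; add `http20Enabled: true` beside `minTlsVersion` and `ftpsState`. Also, `APPINSIGHTS_INSTRUMENTATIONKEY` and `APPLICATIONINSIGHTS_CONNECTION_STRING` both appear in `appSettings`; the connection string is the supported way for current SDKs to reach Application Insights, so the instrumentation-key entry can be dropped rather than carrying two credentials for the same target.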
Comment on lines +101 to +131
@description('App Service for web application.')
resource appService 'Microsoft.Web/sites@2023-12-01' = {
name: appServiceName
location: location
identity: {
type: 'SystemAssigned'
}
properties: {
serverFarmId: appServicePlan.id
httpsOnly: true
siteConfig: {
minTlsVersion: '1.2'
ftpsState: 'Disabled'
alwaysOn: true
appSettings: [
{
name: 'APPINSIGHTS_INSTRUMENTATIONKEY'
value: appInsights.properties.InstrumentationKey
}
{
name: 'APPLICATIONINSIGHTS_CONNECTION_STRING'
value: appInsights.properties.ConnectionString
}
{
name: 'KeyVaultUri'
value: keyVault.properties.vaultUri
}
]
}
}
}

Check failure: Code scanning / checkov (Error)

Ensure the web app has 'Client Certificates (Incoming client certificates)' set
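Review bot: the client-certificate finding maps to `clientCertEnabled` (with `clientCertMode`) at the site `properties` level, not inside `siteConfig`. For a browser-facing web app, demanding incoming client certificates is usually not the intended control, so either set `clientCertEnabled: true` with `clientCertMode: 'Optional'` if the application actually consumes certificates, or document in the security plan that mTLS is out of scope and suppress this check with that justification instead of leaving it failing.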
Comment on lines +84 to +95
@description('App Service Plan for hosting.')
resource appServicePlan 'Microsoft.Web/serverfarms@2023-12-01' = {
name: appServicePlanName
location: location
sku: {
name: 'P1v3'
tier: 'PremiumV3'
}
properties: {
reserved: false
}
}

Check failure: Code scanning / checkov (Error)

Ensure the App Service Plan is zone redundant
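Review bot: `appServicePlan` selects `sku.name: 'P1v3'` / `tier: 'PremiumV3'`, which supports zone redundancy, but `properties` only carries `reserved: false`; add `zoneRedundant: true` and raise `sku.capacity` to the minimum instance count zone redundancy requires (historically three), since a single instance cannot be spread across zones. That change also resolves the checkov notice further down about a minimum number of instances for failover on `appService`: `alwaysOn: true` keeps one worker warm but does not add redundancy.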
Comment on lines +59 to +78
@description('Key Vault for secrets management.')
resource keyVault 'Microsoft.KeyVault/vaults@2023-07-01' = {
name: keyVaultName
location: location
properties: {
sku: {
family: 'A'
name: 'standard'
}
tenantId: subscription().tenantId
enableRbacAuthorization: true
enableSoftDelete: true
softDeleteRetentionInDays: 90
enablePurgeProtection: true
networkAcls: {
defaultAction: 'Deny'
bypass: 'AzureServices'
}
}
}

Check failure: Code scanning / checkov (Error)

Ensure that Azure Key Vault disables public network access
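Review bot: `networkAcls.defaultAction: 'Deny'` already rejects unlisted callers, but checkov wants the explicit `publicNetworkAccess: 'Disabled'` on the vault properties. Before adding it, note that `appService` reads from the vault through `KeyVaultUri` with its system-assigned identity, so the app needs VNet integration plus a private endpoint to the vault (or, as a weaker fallback, its outbound IPs listed in `networkAcls.ipRules`), otherwise secret reads will fail once public access is off; the `bypass: 'AzureServices'` entry covers App Service only for certificate deployment, not for runtime secret reads.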
Comment on lines +101 to +131
@description('App Service for web application.')
resource appService 'Microsoft.Web/sites@2023-12-01' = {
name: appServiceName
location: location
identity: {
type: 'SystemAssigned'
}
properties: {
serverFarmId: appServicePlan.id
httpsOnly: true
siteConfig: {
minTlsVersion: '1.2'
ftpsState: 'Disabled'
alwaysOn: true
appSettings: [
{
name: 'APPINSIGHTS_INSTRUMENTATIONKEY'
value: appInsights.properties.InstrumentationKey
}
{
name: 'APPLICATIONINSIGHTS_CONNECTION_STRING'
value: appInsights.properties.ConnectionString
}
{
name: 'KeyVaultUri'
value: keyVault.properties.vaultUri
}
]
}
}
}

Check notice: Code scanning / checkov (Note)

Ensure App Service has a minimum number of instances for failover
@CalinL (Contributor) left a comment:

Approved!

@CalinL CalinL merged commit ef9125c into main Feb 5, 2026
28 of 30 checks passed
@CalinL CalinL deleted the feature/custom-agents-with-some-gh-fixes branch February 5, 2026 18:54